I'm working on a really old solution that's running ASP.NET 4.0, and there is some code that retrieves a bounceback email address from the Web.config (var email = Configuration.AppSettings["bounceback"]). This bounceback email, in the Web.config, is just defined as a plain old email address (no formatted string taking in any input, etc.).
However, I'm getting a Resource Injection alert when I run a static code analysis scan on my solution. It says that that particular line is a resource identifier argument, and that users shouldn't be able to blindly provide values that point to system resources.
I'm 99% sure that this is a false positive, as users have no control over what value the variable is assigned. But I want to make sure that there isn't anything else at play? Is there another, safer way to retrieve Web.config settings that would ensure no user interference?